Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
On July 6, 2023, the first sanction imposed by the Brazilian Data Protection Agency (“ANPD”) against a company (controller) in Brazil was published in the official gazette. The ANPD is the agency charged with enforcing Brazil’s General Data Protection Law (“LGPD”).
The publication does not provide the details about the results of the investigation conducted by the ANPD against a company, but the sanctions provide a glimpse of the underlying circumstances.
The sanctions included:
- A Warning, without the imposition of corrective measures, for violation of article 41 of the LGPD (appointment of a Data privacy Officer (DPO);
- A “Simple Fine” of R$ 7,200 (~$1,480 USD) for violation of article 7 of the LGPD (legal basis for processing personal data);
- A Simple Fine of R$7,200 (~$1,480 USD) for violation of article 5 of the Auditing Regulations (obligation of controller/processor to cooperate with the ANPD).
The company is a Brazilian “micro company,” as defined by law, which provides telemarketing services. Micro companies are those with an annual revenue of up to R$360,000 (~$74,000 USD), among other requirements. Such micro companies enjoy some differentiated treatment, including under the Brazilian data protection law and regulations, and such status may have been taken into consideration by the ANPD when setting what seems like a lenient sanction.
Whether ANPD will continue to be light on their sanctions is yet to be seen, but more prominent companies that are already being investigated, as we reported in March, may face much steeper fines and possibly corrective measures.
We will continue to monitor the legal developments. The company now has the option to appeal the decision or pay the fines with a 25% discount.
This case is a good reminder to employers in Brazil that the LGPD applies to companies of all sizes, and all employees’ personal data is covered under the LGPD.